Hello,

We observed a kernel panic due to a null pointer dereference in the USB stack while sending malformed USB hub packets. Testing was done on a Galileo board, using kernel version 4.1.8 (image built with the Yocto project).

Output of /proc/version:

    Linux version 4.1.8-yocto-standard (REDACTED) (gcc version 5.2.0 (GCC) ) #1 PREEMPT Fri Oct 30 15:05:46 EET 2015

Please see the full call trace and the reproduction steps at the end of the mail.

Running in debug mode, part of the call trace is displayed, along with:

    (null): activate --> -19

which links to drivers/usb/core/hub.c:1239, function hub_activate (init3). This shows that hub->intfdev is null.

    1240  init3:
    1241      hub->quiescing = 0;
    1242
    1243      status = usb_submit_urb(hub->urb, GFP_NOIO);
    1244      if (status < 0)
    1245          dev_err(hub->intfdev, "activate --> %d\n", status);

If you need additional info, please let us know.

----------------------------- Reproduction steps ----------------------

Testing was done with Facedancer [1] and the umap [2] script. If you have a Facedancer board, you can reproduce the issue by issuing the command below, where ttyUSBX is the connected Facedancer board. The issue does not reproduce 100% of the time, so you may need to run it several times until you hit it (usually at most 3 times).

    # python3 umap.py -P /dev/ttyUSBX -s 09:00:00:E:01
    [...]
    Fuzzing: 09:00:00 - Hub : Default : Default **SUPPORTED**
    2015/11/10 17:15:35 Enumeration phase: 0001 - Device_bLength_lower

Hub descriptor in umap.py:

    hub_descriptor = bytes([
        bLength,                          # length of descriptor in bytes
        bDescriptorType,                  # descriptor type 0x29 == hub
        bNbrPorts,                        # number of physical ports
        wHubCharacteristics & 0xff,       # hub characteristics (low byte)
        (wHubCharacteristics >> 8) & 0xff,  # hub characteristics (high byte)
        bPwrOn2PwrGood,                   # time from power on til power good
        bHubContrCurrent,                 # max current required by hub controller
        DeviceRemovable,
        PortPwrCtrlMask
    ])

[1] http://goodfet.sourceforge.net/hardware/facedancer21/
[2] https://github.com/umap-project/umap

--------------------------------- Call trace ----------------------------

usb 2-1: new full-speed USB device number 5 using ohci-pci
usb 2-1: not running at top speed; connect to a high speed hub
hub 2-1:1.0: USB hub found
hub 2-1:1.0: 4 ports detected
usb 2-1: USB disconnect, device number 5
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at REDACTED/build/tmp-glibc/work-shared/intel-quark/kernel-source/kernel/workqueue.c:606 insert_work+0x8b/0xa0()
Modules linked in: 8021q iio_trig_sysfs industrialio ohci_pci ohci_hcd efivarfs
CPU: 0 PID: 0 Comm: swapper Not tainted 4.1.6-yocto-standard #1
Hardware name: Intel Corp. QUARK/GalileoGen2, BIOS 0x01000200 01/01/2014
 00000000 00000000 cd033ea0 c9d08075 cd033ed0 c9645313 c9e295e8 00000000
 00000000 c9e2a18c 0000025e c965814b c965814b cdde0a00 ce2ba8e8 c9f0d660
 cd033ee0 c96453e2 00000009 00000000 cd033efc c965814b c9f0d670 00000005
Call Trace:
 [<c9d08075>] dump_stack+0x16/0x18
 [<c9645313>] warn_slowpath_common+0x83/0xb0
 [<c965814b>] ? insert_work+0x8b/0xa0
 [<c965814b>] ? insert_work+0x8b/0xa0
 [<c96453e2>] warn_slowpath_null+0x22/0x30
 [<c965814b>] insert_work+0x8b/0xa0
 [<c965829f>] __queue_work+0x13f/0x3b0
 [<c9658590>] ? execute_in_process_context+0x50/0x50
 [<c96585a5>] delayed_work_timer_fn+0x15/0x20
 [<c9688220>] call_timer_fn+0x30/0x130
 [<c965f0ee>] ? put_cred_rcu+0x6e/0xb0
 [<c99a00af>] ? __this_cpu_preempt_check+0xf/0x20
 [<c968853d>] run_timer_softirq+0x14d/0x2e0
 [<c9658590>] ? execute_in_process_context+0x50/0x50
 [<c96482f4>] __do_softirq+0x84/0x260
 [<c9648270>] ? __local_bh_enable_ip+0x90/0x90
 [<c9603e21>] do_softirq_own_stack+0x31/0x40
 <IRQ>
 [<c96485ee>] irq_exit+0x6e/0x90
 [<c9d0dc06>] smp_apic_timer_interrupt+0x36/0x40
 [<c9d0d40d>] apic_timer_interrupt+0x2d/0x40
 [<c960a91d>] ? default_idle+0x1d/0xd0
 [<c960b35e>] arch_cpu_idle+0xe/0x10
 [<c966e772>] cpu_startup_entry+0x2e2/0x350
 [<c9d05032>] rest_init+0x72/0x80
 [<c9f9ea7c>] start_kernel+0x359/0x35e
 [<c9f9e2c3>] i386_start_kernel+0x8d/0x91
---[ end trace 163d665e0e9a46d2 ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 20 at REDACTED/build/tmp-glibc/work-shared/intel-quark/kernel-source/include/linux/kref.h:47 usb_get_urb.part.0+0x27/0x30()
Modules linked in: 8021q iio_trig_sysfs industrialio ohci_pci ohci_hcd efivarfs
CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G W 4.1.6-yocto-standard #1
Hardware name: Intel Corp. QUARK/GalileoGen2, BIOS 0x01000200 01/01/2014
Workqueue: events_power_efficient hub_init_func3
 00000000 00000000 cd1c7d88 c9d08075 cd1c7db8 c9645313 c9e295e8 00000000
 00000014 c9e29494 0000002f c9b04427 c9b04427 ce23c780 00000200 00000010
 cd1c7dc8 c96453e2 00000009 00000000 cd1c7dd0 c9b04427 cd1c7ddc c9b04455
Call Trace:
 [<c9d08075>] dump_stack+0x16/0x18
 [<c9645313>] warn_slowpath_common+0x83/0xb0
 [<c9b04427>] ? usb_get_urb.part.0+0x27/0x30
 [<c9b04427>] ? usb_get_urb.part.0+0x27/0x30
 [<c96453e2>] warn_slowpath_null+0x22/0x30
 [<c9b04427>] usb_get_urb.part.0+0x27/0x30
 [<c9b04455>] usb_get_urb+0x25/0x30
 [<c9b030f5>] usb_hcd_submit_urb+0x25/0x870
 [<c9669d93>] ? update_curr+0x93/0x190
 [<c99a0092>] ? debug_smp_processor_id+0x12/0x20
 [<c9669fbd>] ? __enqueue_entity+0x6d/0x80
 [<c9b0496a>] usb_submit_urb+0x27a/0x510
 [<c9669d93>] ? update_curr+0x93/0x190
 [<c9afd92f>] hub_activate+0x18f/0x520
 [<c9669f02>] ? set_next_entity+0x52/0x70
 [<c99a0092>] ? debug_smp_processor_id+0x12/0x20
 [<c9afdd27>] hub_init_func3+0x17/0x20
 [<c9658d9d>] process_one_work+0x11d/0x430
 [<c96590e7>] worker_thread+0x37/0x4d0
 [<c96590b0>] ? process_one_work+0x430/0x430
 [<c965dbda>] kthread+0x9a/0xb0
 [<c9d0c9a0>] ret_from_kernel_thread+0x20/0x30
 [<c965db40>] ? kthread_worker_fn+0x150/0x150
---[ end trace 163d665e0e9a46d3 ]---
BUG: unable to handle kernel NULL pointer dereference at 0000000b
IP: [<0000000b>] 0xb
*pde = 00000000
Oops: 0010 [#1] PREEMPT
Modules linked in: 8021q iio_trig_sysfs industrialio ohci_pci ohci_hcd efivarfs
CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G W 4.1.6-yocto-standard #1
Hardware name: Intel Corp. QUARK/GalileoGen2, BIOS 0x01000200 01/01/2014
task: cd098920 ti: cd0ee000 task.ti: cd0ee000
EIP: 0060:[<0000000b>] EFLAGS: 00010002 CPU: 0
EIP is at 0xb
EAX: cd3b1610 EBX: cd3b1610 ECX: 00000000 EDX: 00000003
ESI: ce66a05c EDI: ffffffff EBP: cd0efe9c ESP: cd0efe7c
 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
CR0: 8005003b CR2: 0000000b CR3: 0e30d000 CR4: 00100010
Stack:
 c966d9d5 00000000 00000001 ce27ddec 00000003 ce27dde8 00000046 00000246
 cd0efeac c966da1f 00000000 00000000 cd0efebc c966e2d0 ce23c780 00000000
 cd0efec4 c9b04fa8 cd0efedc c9b019b7 ce66a038 cd0efee8 cd0efee8 ce20190c
Call Trace:
 [<c966d9d5>] ? __wake_up_common+0x45/0x70
 [<c966da1f>] __wake_up_locked+0x1f/0x30
 [<c966e2d0>] complete+0x30/0x60
 [<c9b04fa8>] usb_api_blocking_completion+0x18/0x20
 [<c9b019b7>] __usb_hcd_giveback_urb+0x47/0xb0
 [<c9b01a9d>] usb_giveback_urb_bh+0x7d/0xe0
 [<c9648956>] tasklet_action+0xa6/0xb0
 [<c96482f4>] __do_softirq+0x84/0x260
 [<c9d09b52>] ? __schedule+0x222/0x640
 [<c96484ed>] run_ksoftirqd+0x1d/0x30
 [<c9660a5a>] smpboot_thread_fn+0x13a/0x1f0
 [<c9660920>] ? sort_range+0x30/0x30
 [<c965dbda>] kthread+0x9a/0xb0
 [<c9d0c9a0>] ret_from_kernel_thread+0x20/0x30
 [<c965db40>] ? kthread_worker_fn+0x150/0x150
Code: Bad EIP value.
EIP: [<0000000b>] 0xb SS:ESP 0068:cd0efe7c
CR2: 000000000000000b
---[ end trace 163d665e0e9a46d4 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x8600000 from 0xc1000000 (relocation range: 0xc0000000-0xd05effff)
---[ end Kernel panic - not syncing: Fatal exception in interrupt ---

Regards,
Alexandru Cornea
Security QA Engineer
Intel SSG OTC Romania
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
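The hub descriptor that umap packs in the report above is the standard USB 2.0 hub descriptor (USB 2.0 specification, table 11-13), and the fuzz case named in the log, Device_bLength_lower, understates its bLength field while leaving the rest of the body intact. The block below is an added example written for this page; it is not umap's or the kernel's code. It packs a well-formed descriptor, mimics the bLength mutation, and shows the consistency checks a host-side parser should make before trusting bLength or bNbrPorts (the two variable-length bitmaps have a size fixed by bNbrPorts, so bLength is fully determined by it). The port count limit of 31 is the Linux hub driver's USB_MAXCHILDREN bound; the characteristic values, port counts and timings used as inputs are constructed for the example.

```python
"""Added example: pack, mutate and validate a USB 2.0 hub descriptor.

Layout (USB 2.0 spec, table 11-13), all multi-byte fields little-endian:
  bDescLength, bDescriptorType (0x29), bNbrPorts, wHubCharacteristics,
  bPwrOn2PwrGood, bHubContrCurrent, DeviceRemovable[n], PortPwrCtrlMask[n]
where n = ceil((bNbrPorts + 1) / 8) because bit 0 of each bitmap is reserved.
"""
import math
import struct

HUB_DESCRIPTOR_TYPE = 0x29   # USB_DT_HUB
HUB_FIXED_LEN = 7            # bytes preceding the two variable-length bitmaps
USB_MAXCHILDREN = 31         # largest bNbrPorts the Linux hub driver accepts


def bitmap_len(nbr_ports):
    """Size in bytes of DeviceRemovable / PortPwrCtrlMask for a given port count."""
    return math.ceil((nbr_ports + 1) / 8)


def build_hub_descriptor(nbr_ports, hub_characteristics, pwr_on_2_pwr_good,
                         hub_contr_current, non_removable_ports=()):
    """Return a well-formed descriptor. non_removable_ports are 1-based port
    numbers whose DeviceRemovable bit is set (device permanently attached)."""
    if not 0 <= nbr_ports <= 255:
        raise ValueError("bNbrPorts must fit in one byte")
    n = bitmap_len(nbr_ports)
    device_removable = 0
    for port in non_removable_ports:
        if not 1 <= port <= nbr_ports:
            raise ValueError(f"port {port} out of range 1..{nbr_ports}")
        device_removable |= 1 << port          # bit 0 is reserved, port k -> bit k
    b_length = HUB_FIXED_LEN + 2 * n
    head = struct.pack("<BBBHBB", b_length, HUB_DESCRIPTOR_TYPE, nbr_ports,
                       hub_characteristics, pwr_on_2_pwr_good, hub_contr_current)
    # PortPwrCtrlMask is all ones for compatibility with USB 1.0 software.
    return head + device_removable.to_bytes(n, "little") + b"\xff" * n


def parse_hub_descriptor(buf):
    """Decode a descriptor, raising ValueError on any internal inconsistency
    rather than trusting bLength or bNbrPorts as sent by the device."""
    if len(buf) < HUB_FIXED_LEN:
        raise ValueError(f"short descriptor: {len(buf)} bytes")
    b_length, b_type, nbr_ports, chars, pwr_on, current = struct.unpack_from(
        "<BBBHBB", buf)
    if b_type != HUB_DESCRIPTOR_TYPE:
        raise ValueError(f"bDescriptorType 0x{b_type:02x} is not a hub descriptor")
    if nbr_ports > USB_MAXCHILDREN:
        raise ValueError(f"bNbrPorts {nbr_ports} exceeds USB_MAXCHILDREN")
    n = bitmap_len(nbr_ports)
    expected = HUB_FIXED_LEN + 2 * n
    if b_length != expected:
        raise ValueError(f"bLength {b_length} != {expected} implied by {nbr_ports} ports")
    if len(buf) < expected:
        raise ValueError(f"buffer {len(buf)} bytes shorter than bLength {b_length}")
    device_removable = int.from_bytes(buf[HUB_FIXED_LEN:HUB_FIXED_LEN + n], "little")
    return {
        "bNbrPorts": nbr_ports,
        "wHubCharacteristics": chars,
        "bPwrOn2PwrGood": pwr_on,
        "bHubContrCurrent": current,
        "non_removable_ports": [p for p in range(1, nbr_ports + 1)
                                if (device_removable >> p) & 1],
    }


def mutate_blength_lower(desc, delta=1):
    """Mimic umap's Device_bLength_lower case: understate bLength, keep the body."""
    return bytes([(desc[0] - delta) & 0xff]) + desc[1:]


def check(desc):
    """None if the descriptor is self-consistent, otherwise the rejection reason."""
    try:
        parse_hub_descriptor(desc)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs: a 4-port hub, individually power-switched (bits 0-1 = 01)
    # with per-port over-current protection (bit 3), 100 ms power-good, 100 mA.
    good = build_hub_descriptor(4, 0x0009, 50, 100, non_removable_ports=(2,))
    print("well-formed:", good.hex(), "->", check(good))
    bad = mutate_blength_lower(good)
    print("bLength lowered:", bad.hex(), "->", check(bad))
```

The check that matters for the fuzz case is the `b_length != expected` comparison: for a 4-port hub both bitmaps are one byte, so bLength must be 9, and any other value means the device is lying about the descriptor it sent. Rejecting on that mismatch, and on a bNbrPorts above the driver's bound, keeps the parser from reading past the buffer it was handed.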